
Hackers seek payment after break-in on state health care site

Hackers are demanding $10 million to release some eight million patient records claimed to be in their control following the compromise of Virginia's Prescription Monitoring Program (VPMP) website.

Whistleblower site Wikileaks published a copy of the ransom note left by the hackers on the website, which is used by pharmacists to follow incidents of drug abuse. The note said the intruders possessed 8.3 million patient records and 35.6 million prescriptions. Also, the thieves said they created an encrypted backup of the data and deleted the original files.

"For $10 million, I will gladly send along the password," the note said.

Sandra Whitley Ryals, director of the Virginia Department of Health Professions, who is handling press inquiries, did not return a message seeking comment on Tuesday. The VPMP website remains inaccessible, but the ransom note has been taken down.

Security experts said the hack underscores how little security many organizations devote to their web-facing systems.

"If this all is correct, it indicates that several layers of protection failed at the VPMP," SANS Internet Storm Center handler Bojan Zdrnja wrote Tuesday on the organization's blog. "Without knowing more, we can't say if the web application was good or bad...but one thing that should never happen is [the] ability for a hacker to delete your backups. And indeed, any decent backup system will only allow you to back up the data or read it. Only the backup administrator should be able to delete the backups."

Mary Landesman, senior security researcher at web security firm ScanSafe, said companies increasingly are making it convenient for their employees to work remotely by making data accessible via the web. But this often serves as an invitation to criminals, who can launch attacks, such as SQL injection, to gain access to web server database contents.

She said health care records, in particular, shouldn't be reachable through the internet.

"It's just too risky," she said on Tuesday. "When you're talking about patient data, integrity of data is paramount. It frankly shouldn't be allowed anymore."

This is the second high-profile cyberextortion incident in the past six months. Late last year, pharmacy benefits management firm Express Scripts offered a $1 million reward for information leading to the conviction of the person who threatened to divulge the personal information of millions of its members. An FBI investigation continues in that case.
